Firewall Wizards mailing list archives
Re: Defense in Depth to the Desktop
From: "Kevin Sheldrake" <kev () electriccat co uk>
Date: Tue, 07 Dec 2004 10:45:28 -0000
Sounds a lot like Domain Based Security (not Windows 'domains', obviously). I did knock a simple paper together once that described similar concepts, albeit at a 'management' level rather than a 'wiggly amps' level. It probably needs an overhaul, but can be read at www.bournemouthbynight.co.uk. Kev
Defense in Depth to the Desktop the Strong Internal Network Defense model Most organizations have expended large amounts of money and resources instrengthening their perimeter defenses, primarily through firewalls and similar network hardware mechanisms. Additionally, most organizations rely only on operating system security controls for the internal networks, not applyingstrong internal security controls. The lack of strong internal security controls is highlighted when the internal network and systems suffercatastrophic failure when attackers, malware, and, most destructively, worm viruses make their way into the network inside the defensive perimeter. This is the classic "eggshell" weakness of network security, hard and crunchy on the outside, soft and chewy on the inside. The Strong Internal Network Defense (SIND) model attempts to address this key vulnerability through the applicationof hard internal defenses through network hardware. OverviewConsider the following example of a simplified network. The network is divided into two subnets; one subnet contains all of the client systems, while the second subnet contains all of the servers. The client subnet and the server subnet are separated by a session based, stateful, packet filtering firewall. The firewall is unidirectional; it only permits traffic that is initiated from a client to a server. Servers are allowed to reply to clients, but they cannot initiate communication, TCP or UDP, to a client.Surprisingly, this example does not break Microsoft or most application [*1] protocols. The result is counterintuitive, but analysis and testing supportthis assertion.In addition to the firewall, the client systems are fully isolated from eachother by layer 2 controls (private vlans). The servers may be similarlyisolated, but doing so is minimally effective and damaging to server to servercommunications.Consider the introduction of a zero day worm virus [*2] into such a network by an infected client. The client can attack all of the servers, and all of the servers may become infected. The infected client can not attack any of the other clients because of the layer 2 isolation. The infected servers can not attack any of the clients because of the firewall. The end result is that one client and the servers, a small subset of the organization, are infected. Thisis much less devastating, and much easier to clean up, than if the entire network was infected.[*1] MAPI, the protocol used by MS Exchange clients (outlook) and the serverhas a quirk, acknowledged by Microsoft, affecting new mail notification. Despite the presence of a perfectly capable TCP connection from client toserver, the server sends a small “new mail notification” message to the client from a random high port, UDP, to a dynamic high port on the client. Microsofthas acknowledged the issue, as highlighted by using clients through a NAT gateway, but does not give an indication that they care to fix it.[*2] The infamous “zero day worm virus” is invoked as a worse case analysis because it invalidates anti-virus and patch defense mechanisms. Since worms are increasingly targeting necessary network ports, personal firewalls are also equally invalidated as a defense mechanism. Marcus can gleefully dance ontheir graves. AnalysisThe primary design of the model is to focus security resources on the servers. No organization can reasonably maintain strict control over client systems, butthey do have absolute control over making sure that servers are currentlypatched and running the latest AV signatures. The need to keep client systems on the patch and AV treadmill is greatly diminished. Client systems can not directly affect the security of other clients systems, they can only attempt toharm the servers and themselves.Application protocols that are broken are peer to peer systems and any kind ofdesktop file sharing. This is strongly viewed as a good thing in mostorganizations. If I was an attacker going after juicy data the first place Iwould look is the poorly secured desktops of the CEO and CFO. Since manyorganization appear to be IDS blind on client segments, I’d probably fly underthe radar as well.The model can be easily supplemented with port and protocol restrictions tofurther protect the servers from the clients.The model is very easily scalable, the example is for demonstration purposes. Research suggests the addition of: a tightly protected “master server” segment, for servers that query clients (server -> client protocols, security scanners,dhcp, backup servers?); a resources segment for things only used by theservers, like printers; the Internet (duh!); and something intuitive keeps wanting to separate out authorization servers (Domain Controllers) as well.Draw circles on the white board for each segment with arrows to model thefirewall, any arrows that point at the clients have the potential to infect theentire organization, you’ve been warned. With good IP space management, the model should scale across a WAN. Questions? (aka, what have I missed?) Chris _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
-- Kevin Sheldrake MEng MIEE CEng CISSP Electric Cat (Cheltenham) Ltd _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Defense in Depth to the Desktop, (continued)
- Re: Defense in Depth to the Desktop Magosányi Árpád (Dec 07)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 07)
- Re: Defense in Depth to the Desktop Magosányi Árpád (Dec 11)
- protection models Chris Pugrud (Dec 11)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 07)
- Re: Defense in Depth to the Desktop Magosányi Árpád (Dec 07)
- Re: Defense in Depth to the Desktop Rogan Dawes (Dec 07)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 07)
- RE: Defense in Depth to the Desktop Ben Nagy (Dec 07)
- RE: Defense in Depth to the Desktop Chris Pugrud (Dec 07)
- RE: Defense in Depth to the Desktop Scott Stursa (Dec 11)
- RE: Defense in Depth to the Desktop Chris Pugrud (Dec 11)
- RE: Defense in Depth to the Desktop Chris Pugrud (Dec 07)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 13)
- Re: Defense in Depth to the Desktop Paul D. Robertson (Dec 13)
- Re: Defense in Depth to the Desktop Frederick M Avolio (Dec 13)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 14)
- Re: Defense in Depth to the Desktop Chris Pugrud (Dec 14)
- Re: Defense in Depth to the Desktop Paul D. Robertson (Dec 14)
- Re: Defense in Depth to the Desktop Devdas Bhagat (Dec 14)
- Re: Defense in Depth to the Desktop Paul D. Robertson (Dec 14)
- Re: Defense in Depth to the Desktop Devdas Bhagat (Dec 14)